Skip to main content

ServiceNow Incidents - Advanced Customization

Advanced customization options are available in the ServiceNow Incidents integration.

BigPanda - ServiceNow v3 incident data

When a BigPanda incident is shared to ServiceNow, the integration creates a record in the ServiceNow incident table. The integration also exposes additional data fields that can be used to customize the incident during transform. If alerts on open incidents change, BigPanda updates the corresponding ServiceNow incident. Updates are checked every 15 seconds by default.

ServiceNow field default values

Field

Default Value

short_description

BigPanda Incident: {Primary tag of Primary Alert} - {Primary Alert status}

description

Incident summary, alert summary counts, BigPanda root causes, incident and alert tags, and links to the BigPanda incident, timeline, and preview.

opened_at

BigPanda incident startedOn time.

resolved_at

BigPanda incident endedOn time.

comments

BigPanda comments (by default mapped to the work_notes column in ServiceNow).

Custom short description

You can customize the short description without modifying the transform script for the short_description field in the field map. Create a composition tag named bp_short_description with the alert tag values you want. When this field is present, the short_description follows the composition format and appends the status or priority value.

Additional data fields from BigPanda

The integration exposes the following additional data fields from BigPanda on the incoming share record. Administrators can reference these fields in transform rules or transform scripts to further customize the incident.

Field

Description

u_bp_incident_id

BigPanda incident ID

u_bp_incident_status

BigPanda incident status

u_bp_alerts_statuses

Text summary of statuses of all alerts in the incident

u_bp_alerts_count

The total count of alerts in the incident

u_bp_active_alerts_count

The count of non-resolved alerts in the incident

u_bp_environment

The BigPanda environment the share originated from

u_bp_environment_id

The BigPanda environment ID

u_bp_sender_email

Email of the user who performed the share. For AutoShare, this is bigpanda@bigpanda.io

u_bp_raw_incident

String representation of the entire BigPanda incident JSON object

u_bp_incident_url

Link to the BigPanda incident

u_bp_timeline_url

Link to the BigPanda incident timeline

u_bp_preview_url

Link to the public BigPanda incident preview

u_bp_cmdb_ci

The property to look up on the defined primary alert tags when populating the ServiceNow configuration item field Default: hostname

u_bp_config

Any configuration options passed through the integration header; overrides ServiceNow-side configuration

Sample payload

{
   "u_bp_environment_id": "###BigPanda Environment ID###",
   "u_bp_incident_id": "###BigPanda Incident ID###",
   "u_bp_incident_status": "critical",
   "u_bp_alerts_statuses": "1 Critical, 0 Warning, 0 Resolved",
   "u_bp_alerts_count": 1,
   "u_bp_active_alerts_count": 1,
   "u_bp_environment": "All",
   "u_bp_sender_email": "abelincoln@bigpanda.io",
   "u_bp_raw_incident": "<JSON of incident>",
   "u_bp_incident_url": "<URL for incident>",
   "u_bp_timeline_url": "<URL for incident timeline>",
   "u_bp_preview_url": "<Public URL for incident>",
   "u_bp_priority": "priority",
   "short_description": "BigPanda Incident: Gettysburg 2",
   "description": "Alerts Summary: 1 Critical, 0 Warning, 0 Resolved\n\nIncident Link: <URL>",
   "opened_at": 1651188304,
   "resolved_at": null,
   "comments": null,
   "u_bp_config": "{}"
}

To view the full list of fields and the actual data associated with a share, enter x_bip_panda_shareincident.list in the ServiceNow search menu.

Transform Map Best Practices

  • Map BigPanda tags 1:1 to ServiceNow fields where possible - A clean direct mapping is easier to maintain and scale than transform logic that transforms or combines fields.

  • Prefer the Transform Rules Engine over custom transform scripts - Rules are versioned, auditable, and support dry-run mode.

  • Isolate scripted logic - If you must write a transform script, keep each script responsible for a single field — shared scripts are harder to debug and more prone to regression.

  • Use the BigPanda utility helpers - The BigPandaUtility script include exposes helpers such as getIncident(), getIncidentTag(), getPrimaryAlert(), and canUpdate() so you can avoid re-parsing the share payload.

ShareIncident Transform Map

The ShareIncident Transform map is where customization of fields in the ServiceNow incident are performed. Insertion, deletion, or modification of specific columns is achieved by adding, removing, or modifying rows to the map and providing the assigned value, either as a mapped or scripted field. While the same behavior is possible using a Transform Script, modifying the transform map table is clearer and isolates the logic used to generate the field.

Customize Transform Fields

Customize transform field configuration to fit your organization's needs.

Add Alert Details to Description

  1. Navigate to BigPanda > Incidents > Transform Map.

  2. Find the row where the target field is description.

  3. Click on the script.

  4. You will notice the BigPanda Utility class is already being referenced. Starting on line 13, the BigPanda Incident is being retrieved to traverse each alert and add it to the description field.

1  answer = (function transformEntry(source) {
2	 // Instantiate BigPanda Utility Object with source
3	 var bpUtils = new x_bip_panda.BigPandaUtility(source);
4	 var description = null;
5	
6	 // Validates if this field can be updated on an update action
7	 if (bpUtils.canUpdate(action, 'description')) {
8	  	description = source.description;
9	 }
10	
11	// Example of custom logic
12	// Retrieve the BigPanda Incident Data
13	var incident = bpUtils.getIncident().incident;
14	for (var i = 0; i < incident.alerts.length; i++) {
15		description += '\nAlert ' + (i + 1) + '\nStatus: ' + incident.alerts[i].status + '\nDescription: ' + incident.alerts[i].description;
16	}
17
18	return description;
19  })(source);
Capturing Alert Tag

When multiple alerts correlate to form a single BigPanda incident, a primary alert can be defined which helps to accurately categorize the incident. By default, the oldest, most severe alert serves as the primary alert. However, the criteria can be changed in the configuration section of the app. Once the primary alert is defined, various tags/properties from that alert can be captured to form the ServiceNow incident fields.

The snippet below can be used if attempting to capture a tag from your defined primary alert within the BigPanda Incident.

1   answer = (function transformEntry(source) {
2   // Instantiate BigPanda Utility Object with source
3   var bpUtils = new x_bip_panda.BigPandaUtility(source);
4   var desiredTag;
5
6   // Validates if this field can be updated on an update action
7   // If the TARGET_FIELD_NAME is not added to the update fields 
8   // input within the BigPanda Configuration form, then this
9   // will only work on Incident creations
10	if (bpUtils.canUpdate(action, '<TARGET_FIELD_NAME>')) {
11		desiredTag = bpUtils.getPrimaryAlertTag('<DESIRED_ALERT_TAG>');
12	}
13
14  return desiredTag;
15  })(source);
Capturing Incident Tags

The snippet below can be used to retrieve the Incident Tags of the BigPanda Incident.

1  answer = (function transformEntry(source) {
2  // Instantiate BigPanda Utility Object with source
3  var bpUtils = new x_bip_panda.BigPandaUtility(source);
4
5  // Getting all Incident Tags
6  var incidentTags = bpUtils.getIncidentTags();
7  /* Return Schema for Incident Tags
8    [
9      {
10        id: 'some_id',
11        name: 'Incident Tag Name',
12        value: 'SOME_VALUE'
13        type: 'INCIDENT_TAG_TYPE' ('text', 'multivalue', 'priority')
14      }
15    ]
16  */
17
18  // Getting a single Incident Tag
19  var incidentTag = bpUtils.getIncidentTag('some tag name');
20
21  // Getting the Priority Incident Tag
22  var priority = bpUtils.getPriorityIncidentTag();
23
24  var desiredTag;
25
26  // Validates if this field can be updated on an update action
27  // If the TARGET_FIELD_NAME is not added to the update fields 
28  // input within the BigPanda Configuration form, then this
29  // will only work on Incident creations
30  if (bpUtils.canUpdate(action, '<TARGET_FIELD_NAME>')) {
31    // CUSTOM LOGIC GOES HERE
32  }
33
34  return desiredTag;
35  })(source);

Header needed

For the incident tags to have this enriched schema, confirm the x-bp-api-key header is added to the configuration of the integration within the BigPanda Console under the integrations tab.

Custom Headers

BigPanda lets you specify customized information with your integration through Custom Headers. If you have not been granted administrator access to the integration system, you can modify the integration through custom headers.

Custom header priority

Custom headers take priority over the fields you configure on the Integration page.

Common custom headers for the ServiceNow integration include:

  • x-bp-api-key - Required to enable the enriched incident-tag schema on the ServiceNow side.

  • x-bp-config-org-id - Required. Must match the BigPanda org name for the organization. Without this header, the integration cannot select the correct configuration record.

  • x-bp-config-servicenowUrlOverride - Overrides the ServiceNow target URL to support an intermediate custom implementation (typically for complex security requirements).

See the Custom Headers documentation for more details.

OAuth 2.0 Support

BigPanda supports OAuth 2.0 for ServiceNow incident creation. In order to add OAuth provider details within the BigPanda ServiceNow integration, add the following custom headers. Once OAuth details are added, any Basic Auth credentials are ignored when making requests to ServiceNow.

  • x-bp-config-oauthUrl

  • x-bp-config-oauthClientId

  • x-bp-config-oauthClientSecret

  • x-bp-config-oauthGrantType

  • (optional; required for oauthGrantType of password) x-bp-config-oauthPassword

  • (optional; required for oauthGrantType of password) x-bp-config-oauthUser

  • (optional) x-bp-config-oauthScope

The recommended oauthGrantType is password. The OAuth user in ServiceNow must have the x_bip_panda.user role assigned. Supported grant types are password and client_credentials.

OAuth support is available for ticket creation via the push mechanism only, not for polling from ServiceNow.

Remove default webhook credentials

After the OAuth fields are enabled and configured, delete the default webhook fields x-bp-config-servicenowPassword and x-bp-config-servicenowUsername by selecting the minus sign button to the left of the row. Once these fields are deleted, the system will use OAuth values instead.

Class: BigPandaUtility

A Script Include library of functions called BigPandaUtility has been created to make common tasks easier.

new BigPandaUtility(source)

  • source ServiceNow source record (library may only be used when a source is defined)

The initialization function must be called before calling other library functions.

getIncident()

Returns the BigPanda Share payload

getIncidentTags()

Returns an array of Incident Tags (See example above for return schema)

getIncidentTag(tag_name)

  • tag_name Name of the Incident Tag to retrieve

    Returns the value for the provided incident tag. Returns null if no match is found

getPriorityIncidentTag()

Returns the value for the provided priority Incident Tag. Returns null if not found

getPrimaryAlert()

Returns Primary Alert object as determined by setPrimaryAlert.

getPrimaryAlertStatus()

Returns a String representing the Primary Alert status.

getPrimaryAlertValue(<field>)

Fields pull data from the parent primary alert object.

Example:

            "id": "66bb727c231b20cf7a8e2555",
			"status": "Ok",
			"startedOn": 1723560565,
			"endedOn": 1723827972,
			"changedOn": 1723827972,
			"updatedOn": 1723827972,
			"active": false,
			"primaryProperty": "host",
			"secondaryProperty": "check",
			"sourceSystem": "api.app_mon",
			"description": "mongo-123 is reporting slowness in database transaction completion",

This command returns the value of the specified field within Primary Alert, or null if it doesn't exist.

getPrimaryAlertTag(<tag>)

Tags pull data from the tags child object.

          "tags": [{
				"name": "host",
				"value": "ca-prod-monitoring-order-dist-6iu702"
			}, {
				"name": "instance",
				"value": ["nyc-snmo-ais97"]
			}

This command returns the value of the specified tag within Primary Alert, or null if it does not exist.

getAlertStatusCounts()

Returns String containing alert counts: X Critical, Y Warning, Z Resolved [U Unknown]. The unknown value is present only when some alerts have no status.

getTimeByProperty(epochTime, property)

  • epochTime epoch time used as fallback source value

  • property field containing epochTime in source record to convert

Returns String containing ServiceNow formatted time. Generated from field property if it exists in source, otherwise, epochTime is used.

getUserByProperty(userEmail, property)

  • userEmail fallback value used for email

  • property field containing user email in source record

Returns the ServiceNow system id for the provided user email. Generated from field property if it exists in source, otherwise, userEmail is used.

getUpdateFields()

Returns list of fields to be updated during an update event.

reopenIncident(incident)

  • incident source record to determine reopening

Returns Boolean whether the incident should be reopened. Returns true if Re-open Resolved is checked in the Configuration UI and the time since the incident was resolved less than Re-open Window minutes ago.

In this section: